PART I
Is Compliance Really Just Complacence?
You’ve built a thriving business, earned a powerful brand in the marketplace, and deliver goods and services around the globe with world-class speed and efficiency. As a Global 2000 leader, you naturally have the best interests of your employees and your customers at heart, have painstakingly earned their trust, and would never willfully do anything to put them at risk. You’re confident that you provide a secure and trusted online presence, employ rigorous information security safeguards, and do everything necessary to protect the valuable data in your charge. You’ve invested heavily in people, processes, and technology, and truly believe that you’re doing all the right things. Don’t look now, but you might be deluding yourself.
Since industry-specific data security and privacy regulations now apply to most sectors of the economy in the United States, you probably find yourself falling under one or more of the following regulatory categories:
- Financial Services—Sarbanes-Oxley Act (SOX), Gramm-Leach-Bliley Act (GLB)
- Healthcare—Health Insurance Portability and Accountability Act (HIPAA)
- Retail—Payment Card Industry Data Security Standard (PCI DSS)
- Government Contractors—Federal Information Security Management Act (FISMA)
- Industrial Control and SCADA Systems—National Institute of Standards and Technology (NIST)
You take your compliance obligations seriously and devote great amounts of time and energy to ensure that your business meets all applicable legal and regulatory requirements. Despite best efforts and intentions, disturbing questions still gnaw at you. You ask yourself, “Does compliance standing alone truly make things sufficiently secure and keep sensitive data away from theft or exploitation?” Then you wonder, “How much more should I be doing?” Well, what if I told you that by focusing on compliance you’re really only doing the minimum necessary to keep the government regulators off your back and that compliance bears but a slim relationship to true data security?
Commitment to Strong Security Practices or Just Toeing the Line?
You passed an audit—hooray! But don’t pop the champagne corks quite yet. Just because you, or your auditors, certify that your business has met narrowly defined, industry-specific information systems management requirements for the applicable reporting period doesn’t necessarily mean that all of your enterprise data or internal systems are safe from attack by outside interests or misuse from inside sources. How can this be? Don’t government regulations exist to ensure our safety? If only it were this simple. In reality, it all comes down to the ways in which rules are made, namely through legislation and through regulations.
Legislative processes in a democracy are messy, slow, and fraught with political compromise, often resulting in watered-down laws designed to obtain just enough votes to pass the chamber. Even good, noncontroversial bills are routinely held up, delayed, or filibustered for months—or entire congressional sessions—by legislators seeking publicity or near-term political gain. Lawmakers frequently trade their support for one bill in exchange for another legislator’s vote on a different matter in an age-old congressional process known as “logrolling.” Finally, obscure or unpopular legislative “riders” with slim prospects of passing on their own merits are frequently attached to popular or “must pass” bills covering completely different legal subjects, leading to the passage of convoluted Frankenlaws consisting of multiple unrelated parts.
Regulatory processes are no better. Under authority granted to them by Congress in broad, general terms, the responsible agency typically conducts a months-long study, promulgates new proposed regulations based on the study findings, and then opens an often-lengthy public comment period. After reviewing the initial comments, the agency then revises the regulations, waits again for public comments, and then ultimately publishes the final version of the requirements in the Federal Register—regulations which take effect at a future date, often the following January 1 or July 1. Businesses need time to absorb and adapt to these new regulations, and then a year later, an audit tells them whether or not they have successfully interpreted the changes.
Wow! All through this extended time period, technology steadily advances and human ingenuity methodically progresses, including the actions of threat actors on a worldwide stage. New data security and privacy perils steadily emerge, while existing dangers morph or retreat across the ever-changing threatscape. Legislation and regulation are also highly mutable over time, as they are subject to shifting political trade winds. As a result, they can change course or even reverse themselves as presidential administrations come and go. Ultimately, legislation and regulations often significantly lag behind, and poorly reflect, the actual threats they are intended to address.
Protecting the Enterprise against Trust-Based Attacks
To truly protect your critical data and server infrastructure, you must look beyond parochial compliance requirements and take a broader view of your overall information security practices, specifically in relation to protecting information assets against trust-based attacks. First, conduct a full and complete inventory of all encryption keys and digital certificates, plus all authentication keys used within the enterprise. Use the strongest mainstream cryptography possible to secure these digital assets and then enforce robust security policies across your enterprise without exception. Understand trust relationships between users, keys, and the systems and servers they properly access. Replace weak signing algorithms and short key lengths, use trustworthy certificate authorities, and shorten key and certificate validity periods to one year. Monitor authentication and encryption usage patterns and alert when anomalies are detected. Finally, ensure that you have the ability to rotate all keys and certificates if a security breach is ever detected or suspected.
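The inventory-and-policy step above is the part a practitioner can actually mechanize. The following is an added example, not code from the original article or from Venafi: it runs a policy check over a constructed certificate inventory of the kind a discovery scan might export, flagging short keys, weak signing algorithms, validity periods longer than one year, untrusted issuers, and certificates close to expiry, and then produces a rotation queue. The one-year validity limit comes from the text; the other thresholds (RSA 2048, EC 256, a 30-day expiry warning window, the issuer allowlist) and all host names, issuers and dates are assumptions made for the example.

```python
from datetime import date

# Constructed sample inventory (not real hosts or certificates): one record per
# certificate, in the shape a key/certificate discovery export might use.
INVENTORY = [
    {"host": "web01.example.test", "key_type": "RSA", "key_bits": 2048,
     "sig_alg": "sha256WithRSAEncryption", "issuer": "Corp Internal CA",
     "not_before": "2024-01-01", "not_after": "2024-12-31"},
    {"host": "legacy-erp.example.test", "key_type": "RSA", "key_bits": 1024,
     "sig_alg": "sha1WithRSAEncryption", "issuer": "Corp Internal CA",
     "not_before": "2020-01-01", "not_after": "2030-01-01"},
    {"host": "build.example.test", "key_type": "EC", "key_bits": 256,
     "sig_alg": "ecdsa-with-SHA256", "issuer": "build.example.test",
     "not_before": "2024-03-01", "not_after": "2025-02-28"},
    {"host": "api.example.test", "key_type": "RSA", "key_bits": 3072,
     "sig_alg": "sha384WithRSAEncryption", "issuer": "Corp Internal CA",
     "not_before": "2023-06-01", "not_after": "2024-06-15"},
]

# Assumed policy. Only the one-year maximum validity is taken from the article;
# the remaining thresholds are common practice chosen for this example.
POLICY = {
    "min_key_bits": {"RSA": 2048, "EC": 256},
    "weak_sig_markers": ("md5", "sha1"),   # substring match on the algorithm name
    "max_validity_days": 365,
    "expiry_warning_days": 30,
    "trusted_issuers": {"Corp Internal CA"},
}


def check_certificate(cert, today, policy=POLICY):
    """Return the list of policy violations for one inventory record."""
    findings = []
    min_bits = policy["min_key_bits"].get(cert["key_type"])
    if min_bits is None:
        findings.append(f"unrecognised key type {cert['key_type']}")
    elif cert["key_bits"] < min_bits:
        findings.append(f"short key: {cert['key_type']}-{cert['key_bits']} < {min_bits}")

    if any(m in cert["sig_alg"].lower() for m in policy["weak_sig_markers"]):
        findings.append(f"weak signature algorithm: {cert['sig_alg']}")

    not_before = date.fromisoformat(cert["not_before"])
    not_after = date.fromisoformat(cert["not_after"])
    validity = (not_after - not_before).days
    if validity > policy["max_validity_days"]:
        findings.append(f"validity {validity} days exceeds {policy['max_validity_days']}")

    # An issuer outside the allowlist covers both unknown CAs and self-signed certs.
    if cert["issuer"] not in policy["trusted_issuers"]:
        findings.append(f"untrusted issuer: {cert['issuer']}")

    days_left = (not_after - today).days
    if days_left < 0:
        findings.append(f"expired {-days_left} days ago")
    elif days_left <= policy["expiry_warning_days"]:
        findings.append(f"expires in {days_left} days")
    return findings


def audit_inventory(inventory, today_iso, policy=POLICY):
    """Map each host to its findings; an empty list means the record passes."""
    today = date.fromisoformat(today_iso)
    return {c["host"]: check_certificate(c, today, policy) for c in inventory}


def rotation_queue(inventory, today_iso, policy=POLICY):
    """Hosts whose certificate should be reissued, worst offenders first."""
    report = audit_inventory(inventory, today_iso, policy)
    return sorted((h for h, f in report.items() if f), key=lambda h: -len(report[h]))


if __name__ == "__main__":
    for host, findings in audit_inventory(INVENTORY, "2024-06-01").items():
        print(f"{host}: {'OK' if not findings else '; '.join(findings)}")
    print("rotation queue:", rotation_queue(INVENTORY, "2024-06-01"))
```

The check deliberately treats a self-signed certificate the same way as one from an unknown CA, because from the trust-relationship perspective in the text both are issuers the enterprise has not vouched for. Feeding a real discovery export into `audit_inventory` on a schedule gives you the monitoring the article calls for, and `rotation_queue` is the list you would work through when a rotation is triggered.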
No CEO or CISO wants to tell stakeholders that he or she is doing just the minimum that compliance requires—and not everything possible—to protect the enterprise and its customers against trust attacks.
If you strive to achieve strong security practices for their own sake, you will invariably find yourself exceeding the compliance requirements of the applicable laws and regulations in your industry. If you strive primarily for compliance, however, you will likely fall short of minimum practices necessary to achieve true data security and leave yourself vulnerable to trust-based attacks on the keys and certificates that enable enterprises to secure critical information systems.
Learn how Venafi can help protect your encryption and authentication assets against trust-based attacks to achieve both industry compliance and strong data security practices across the enterprise.